Re: [TLS] Questions about TLS Server Name Indication extension
On Wed, Oct 28, 2009 at 10:35 AM, Nelson B Bolyard <nelson at bolyard.me> wrote:
>
> In the context of a physical server acting as multiple virtual servers,
> is the space of session IDs coming from that server a single space that
> encompasses all the sessions for all the virtual servers served by that
> physical server? Or does each virtual server have its own separate space?
>
> If each virtual server has its own separate session ID space, then when
> attempting to "resume" or "restart" a TLS session, the client hello MUST
> bear an SNI extension to inform the physical server which virtual server's
> session ID space contains the given session ID, and each virtual server
> potentially has its own separate session store/cache.

When attempting to resume a TLS session, the client hello must
bear an SNI extension for another reason: it's not guaranteed that
the server will accept the request to resume the session. This issue
is discussed in Section 2.3 of the TLS extensions RFC 3546. (The
RFC uses SHOULD instead of MUST.)
> OTOH, if there is a single session ID space for the entire physical server
> covering all the virtual servers, then each cached session must record and
> identify the virtual server with which it is associated.

If a client certificate is used in the session, it seems that the
session should only be associated with the virtual server that
authenticated the client certificate, as opposed to the entire
physical server covering all the virtual servers. I guess there
are multiple ways to accomplish that.
Wan-Teh
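The per-virtual-server session space discussed above, as an added example that is not part of the original thread: a minimal server-side cache keyed by (SNI name, session ID), so a session established with one virtual server (including one that authenticated a client certificate) is never resumed against another, and a ClientHello without SNI falls back to a full handshake. The cache layout, class names and sample host names are assumptions.

```python
# Added example, not code from the thread: a server-side TLS session cache
# for a physical server hosting several virtual servers. Sessions are keyed
# by (server_name, session_id); the names and structures are constructed.
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CachedSession:
    server_name: str                          # virtual server that ran the handshake
    master_secret: bytes
    client_cert_subject: Optional[str] = None # set when a client cert was verified


@dataclass
class ClientHello:
    session_id: bytes                  # empty => client asks for a full handshake
    server_name: Optional[str] = None  # SNI value; None if the extension is absent


class SessionCache:
    def __init__(self) -> None:
        self._store: Dict[Tuple[str, bytes], CachedSession] = {}

    def create(self, server_name: str,
               client_cert_subject: Optional[str] = None) -> bytes:
        """A full handshake completed on `server_name`; cache its session."""
        session_id = os.urandom(32)
        self._store[(server_name, session_id)] = CachedSession(
            server_name, os.urandom(48), client_cert_subject)
        return session_id

    def try_resume(self, hello: ClientHello) -> Optional[CachedSession]:
        """Return the cached session if resumption is acceptable, else None.

        None means the server proceeds with a full handshake, which is why
        the ClientHello must carry SNI even when it offers a session ID.
        """
        if not hello.session_id or hello.server_name is None:
            return None  # no ID, or no SNI to select the virtual server's space
        # Lookup is scoped to the named virtual server: a session created on
        # a.example is invisible to a resumption attempt naming b.example.
        return self._store.get((hello.server_name, hello.session_id))
```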
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.